def __proxy(self, vote=None, votebox=None):
try:
evlog.log(LOGSIG[self.__task] + ': ALGUS')
if ElectionState().election_on():
security = CertAnalyzer()
if security.work():
if self.__task == TASK_CAND:
return \
self.__get_candidate_list(security.valid_person())
elif self.__task == TASK_VOTE:
return self.__hts_vote(\
security.valid_person(), vote, votebox)
else:
r1, r2 = protocol.msg_error_technical()
return self.__return_error(r1, r2)
else:
evlog.log_error('Viga: "%s"' % security.logmsg)
return \
self.__return_error(security.errcode, security.errmsg)
else:
r1, r2 = ElectionState().election_off_msg()
return self.__return_error(r1, r2)
except:
return self.__return_exception()
finally:
evlog.log(LOGSIG[self.__task] + ': LõPP')
def _check_vote(self, ringkond, district, haal, line_nr):
ret = True
if haal == CORRUPTED_VOTE:
errstr = "Häält (rida=%d) ei õnnestunud dekrüptida" % line_nr
evlog.log_error(errstr)
ret = False
else:
lst = haal.split('\n')
if ((len(lst) != 4) or \
(lst[0] != evcommon.VERSION) or \
(lst[1] != self._elid) or \
(lst[3] != "")):
ret = False
else:
if not formatutil.is_valiku_kood(lst[2]):
ret = False
elif lst[2].split(".")[0] != ringkond[0]:
ret = False
if ret and self.__cnt.has_choice(ringkond, district, lst[2]):
self.__cnt.add_vote(ringkond, district, lst[2])
else:
ret = False
self._add_kehtetu(ringkond, district)
return ret
def _check_vote(self, ringkond, district, haal, line_nr):
ret = True
if haal == CORRUPTED_VOTE:
errstr = "Häält (rida=%d) ei õnnestunud dekrüptida" % line_nr
evlog.log_error(errstr)
ret = False
else:
lst = haal.split('\n')
if ((len(lst) != 4) or \
(lst[0] != evcommon.VERSION) or \
(lst[1] != self._elid) or \
(lst[3] != "")):
ret = False
else:
if not formatutil.is_valiku_kood(lst[2]):
ret = False
elif lst[2].split(".")[0] != ringkond[0]:
ret = False
if ret and self.__cnt.has_choice(ringkond, district, lst[2]):
self.__cnt.add_vote(ringkond, district, lst[2])
else:
ret = False
self._add_kehtetu(ringkond, district)
return ret
def __proxy(self, vote = None, votebox = None):
try:
evlog.log(LOGSIG[self.__task] + ': ALGUS')
if ElectionState().election_on():
security = CertAnalyzer()
if security.work():
if self.__task == TASK_CAND:
return \
self.__get_candidate_list(security.valid_person())
elif self.__task == TASK_VOTE:
return self.__hts_vote(\
security.valid_person(), vote, votebox)
else:
r1, r2 = protocol.msg_error_technical()
return self.__return_error(r1, r2)
else:
evlog.log_error('Viga: "%s"' % security.logmsg)
return \
self.__return_error(security.errcode, security.errmsg)
else:
r1, r2 = ElectionState().election_off_msg()
return self.__return_error(r1, r2)
except:
return self.__return_exception()
finally:
evlog.log(LOGSIG[self.__task] + ': LõPP')
def _count_votes(self):
dvl = DecodedVoteList(self, self.__cnt)
dvl.attach_logger(evlog.AppLog())
dvl.attach_elid(self._elid)
if not dvl.check_format(self.output_file, 'Loen hääli: '):
evlog.log_error('Häälte lugemine ebaõnnestus')
return False
return True
def _count_votes(self):
dvl = DecodedVoteList(self, self.__cnt)
dvl.attach_logger(evlog.AppLog())
dvl.attach_elid(self._elid)
if not dvl.check_format(self.output_file, 'Loen hääli: '):
evlog.log_error('Häälte lugemine ebaõnnestus')
return False
return True
def check_vote(self, mobid):
try:
bdocpython.initialize()
conf = bdocconfig.BDocConfig()
conf.load(Election().get_bdoc_conf())
alines = []
elines = []
if mobid:
alines, elines = regrights.analyze_signature_for_log(self._decoded_vote)
else:
alines, elines = regrights.analyze_vote_for_log(self._decoded_vote)
for el in alines:
evlog.log(el)
for el in elines:
evlog.log_error(el)
res = None
if mobid:
res = regrights.check_vote_hes_mobid(self._decoded_vote, conf)
else:
res = regrights.check_vote_hes(self._decoded_vote, conf)
if not res.result:
self.error.log_msg = res.error
if self.error.user_msg == "":
self.error.user_msg = evmessage.EV_ERRORS.TEHNILINE_VIGA
self.error.user_code = evcommon.EVOTE_ERROR
if not res.cert_is_valid:
self.error.user_msg = evmessage.EV_ERRORS.SERTIFIKAAT_ON_AEGUNUD
self.error.user_code = evcommon.EVOTE_CERT_ERROR
return False
ik_ver = regrights.get_personal_code(res.subject)
if self._ik != ik_ver:
self.error.log_msg = "Autentija (%s) ja allkirjastaja (%s) erinevad" % (self._ik, ik_ver)
self.error.user_msg = evmessage.EV_ERRORS.TEHNILINE_VIGA
self.error.user_code = evcommon.EVOTE_ERROR
return False
return True
except:
self.error.user_msg = evmessage.EV_ERRORS.TEHNILINE_VIGA
self.error.user_code = evcommon.EVOTE_ERROR
self.error.log_msg = exception_msg.trace()
finally:
bdocpython.terminate()
return False
def __kylm_ennistamine(self, input_list, good_list, bad_list, action_list):
for el in input_list:
code = el[0]
if not self.haaletanud(code):
bad_list.append(el)
evlog.log_error('Isik koodiga %s ei ole hääletanud' % code)
continue
user_key = htscommon.get_user_key(code)
vc = htscommon.VoteCounter()
revoked_key = ''
for vote_file in self._reg.list_keys(user_key):
if htscommon.VALID_VOTE_PATTERN.match(vote_file):
vc.inc_valid()
elif htscommon.USERREVOKED_VOTE_PATTERN.match(vote_file):
vc.inc_userrevoked()
revoked_key = vote_file
elif htscommon.AUTOREVOKED_VOTE_PATTERN.match(vote_file):
pass
elif htscommon.REVOKE_REASON_PATTERN.match(vote_file):
pass
else:
vc.inc_unknown()
if ((vc.userrevoked() == 0) or (vc.valid() > 0)):
bad_list.append(el)
evlog.log_error(\
'Isik koodiga %s ei ole oma häält tühistanud' % code)
continue
if (vc.userrevoked() > 1):
self._errmsg = 'Serveri andmestruktuurid ei ole kooskõlalised'
raise Exception(self._errmsg)
if (vc.unknown() > 0):
self._errmsg = 'Tundmatu viga häälte tühistamisel'
raise Exception(self._errmsg)
if (vc.userrevoked() == 1):
valid_key = \
htscommon.change_votefile_name(\
revoked_key, htscommon.BVALID)
act = ActionInfo()
act.set_old_name(self._reg.path(user_key + [revoked_key]))
act.set_new_name(self._reg.path(user_key + [valid_key]))
act.set_reason_name(self._reg.path(user_key + ['reason']))
act.set_timestamp(htscommon.get_votefile_time(revoked_key))
act.set_code(el[0])
act.set_name(el[1])
act.set_reason(el[2])
good_list.append(el)
action_list.append(act)
def __kylm_tyhistamine(self, input_list, good_list, bad_list, action_list):
for el in input_list:
code = el[0]
if not self.haaletanud(code):
bad_list.append(el)
evlog.log_error('Isik koodiga %s ei ole hääletanud' % code)
continue
user_key = htscommon.get_user_key(code)
vc = htscommon.VoteCounter()
valid_key = ''
for vote_file in self._reg.list_keys(user_key):
if htscommon.VALID_VOTE_PATTERN.match(vote_file):
vc.inc_valid()
valid_key = vote_file
elif htscommon.USERREVOKED_VOTE_PATTERN.match(vote_file):
vc.inc_userrevoked()
elif htscommon.AUTOREVOKED_VOTE_PATTERN.match(vote_file):
pass
elif htscommon.REVOKE_REASON_PATTERN.match(vote_file):
pass
else:
vc.inc_unknown()
if (vc.valid() > 1):
self._errmsg = 'Serveri andmestruktuurid ei ole kooskõlalised'
raise Exception(self._errmsg)
if ((vc.valid() == 0) or (vc.userrevoked() > 0)):
bad_list.append(el)
evlog.log_error(\
'Kasutaja isikukoodiga %s hääl on juba tühistatud' % \
code)
if (vc.unknown() > 0):
self._errmsg = 'Tundmatu viga häälte tühistamisel'
raise Exception(self._errmsg)
if (vc.valid() == 1):
revoked_key = \
htscommon.change_votefile_name(\
valid_key, htscommon.BUSERREVOKED)
act = ActionInfo()
act.set_old_name(self._reg.path(user_key + [valid_key]))
act.set_new_name(self._reg.path(user_key + [revoked_key]))
act.set_reason_name(self._reg.path(user_key))
act.set_timestamp(htscommon.get_votefile_time(valid_key))
act.set_code(el[0])
act.set_name(el[1])
act.set_reason(el[2])
good_list.append(el)
action_list.append(act)
def _check_logs(self):
log_lines = 0
log_lines = log_lines + self._log4.lines_in_file()
log_lines = log_lines + self._log5.lines_in_file()
log_lines = log_lines - 6
if log_lines != self.__cnt.count():
errstr = \
"Log4 ja Log5 ridade arv (%d) "\
"ei klapi häälte arvuga (%d)" % \
(log_lines, self.__cnt.count())
evlog.log_error(errstr)
return False
return True
def _check_logs(self):
log_lines = 0
log_lines = log_lines + self._log4.lines_in_file()
log_lines = log_lines + self._log5.lines_in_file()
# remove header
log_lines = log_lines - 6
if log_lines != self.__cnt.count():
errstr = "Log4 ja Log5 ridade arv (%d) "\
"ei klapi häälte arvuga (%d)" % \
(log_lines, self.__cnt.count())
evlog.log_error(errstr)
return False
return True
def _write_atomic(self, filename, data):
tmp_name = filename + '.partial'
try:
_f = open(tmp_name, 'w')
fcntl.lockf(_f, fcntl.LOCK_EX)
_f.write(data)
_f.flush()
os.fsync(_f.fileno())
_f.close()
os.rename(tmp_name, filename)
except Exception, (errno, errstr):
evlog.log_error("Faili '%s' kirjutamine nurjus" % filename)
raise Exception(errno, errstr)
def __kylm_tyhistamine(self, input_list, good_list, bad_list, action_list):
for el in input_list:
code = el[0]
if not self.haaletanud(code):
bad_list.append(el)
evlog.log_error("Isik koodiga %s ei ole hääletanud" % code)
continue
user_key = htscommon.get_user_key(code)
vc = htscommon.VoteCounter()
valid_key = ""
for vote_file in self._reg.list_keys(user_key):
if htscommon.VALID_VOTE_PATTERN.match(vote_file):
vc.inc_valid()
valid_key = vote_file
elif htscommon.USERREVOKED_VOTE_PATTERN.match(vote_file):
vc.inc_userrevoked()
elif htscommon.AUTOREVOKED_VOTE_PATTERN.match(vote_file):
pass
elif htscommon.REVOKE_REASON_PATTERN.match(vote_file):
pass
elif htscommon.VOTE_VERIFICATION_ID_FILENAME == vote_file:
pass
else:
vc.inc_unknown()
if vc.valid() > 1:
self._errmsg = "Serveri andmestruktuurid ei ole kooskõlalised"
raise Exception(self._errmsg)
if (vc.valid() == 0) or (vc.userrevoked() > 0):
bad_list.append(el)
evlog.log_error("Kasutaja isikukoodiga %s hääl on juba tühistatud" % code)
if vc.unknown() > 0:
self._errmsg = "Tundmatu viga häälte tühistamisel"
raise Exception(self._errmsg)
if vc.valid() == 1:
revoked_key = htscommon.change_votefile_name(valid_key, htscommon.BUSERREVOKED)
act = ActionInfo()
act.set_old_name(self._reg.path(user_key + [valid_key]))
act.set_new_name(self._reg.path(user_key + [revoked_key]))
act.set_reason_name(self._reg.path(user_key))
act.set_timestamp(htscommon.get_votefile_time(valid_key))
act.set_code(el[0])
act.set_name(el[1])
act.set_reason(el[2])
good_list.append(el)
action_list.append(act)
def get_response(self):
import binascii
# load a random BDOC from the ones available
otp_key = htscommon.get_verification_key(self._vote_id)
elids = self._rreg.read_string_value(otp_key, "elids")\
.value.rstrip().split("\t")
bdoc = self.__load_bdoc(random.choice(elids))
evlog.log("Sending BDOC %s with vote ID %s for verification" %\
(ksum.votehash(bdoc.get_bytes()), self._vote_id))
# check consistency
bdoc_set = set([doc.split(".")[0] for doc in bdoc.documents])
elids_set = set(elids)
if bdoc_set != elids_set:
evlog.log_error("Votes in BDOC for vote ID %s are inconsistent " \
"with registry: %s, %s" % (self._vote_id, bdoc_set, elids_set))
raise HTSVerifyException, evcommon.VERIFY_ERROR
# create question objects
questions = []
for elid in elids:
questions.append(question.Question(\
elid, "hts", Election().get_sub_reg(elid)))
# start assembling the response
ret = ""
# append questions
for quest in questions:
ret += quest.qname() + ":" + str(quest.get_type()) + "\t"
ret += "\n"
# append election IDs and votes
for votefile in bdoc.documents:
elid = votefile.split(".")[0]
ret += elid + "\t" + binascii.b2a_hex(
bdoc.documents[votefile]) + "\n"
ret += "\n"
# append choices list
for quest in questions:
tv = quest.get_voter(self._voter_code)
if tv:
ret += quest.choices_to_voter(tv)
else:
evlog.log_error("Voter not found")
self.__decrease_count()
return ret
def check_session(self, cert):
if not self.__reg.check(self.__key):
return evcommon.EVOTE_ERROR, evmessage.EV_ERRORS.SEANSS_PUUDUB
start = self.__reg.read_integer_value(self.__key, "start").value
length = Election().get_session_length() * 60
if start + length < int(time.time()):
return evcommon.EVOTE_ERROR, evmessage.EV_ERRORS.SEANSS_PUUDUB
if self.__reg.read_value(self.__key, "cert").value != cert:
evlog.log_error('Sertifikaat muutus')
return evcommon.EVOTE_CERT_ERROR, evmessage.EV_ERRORS.TEHNILINE_VIGA
return evcommon.EVOTE_OK, None
def _at(timestr, command):
proc = subprocess.Popen(("at", timestr),
stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
_, err = proc.communicate(command)
if proc.returncode != 0:
evlog.log_error(LOG_ERROR_SUBPROCESS % ("at", err))
print UI_ERROR_SUBPROCESS % ("at", err)
return None
for line in err.splitlines():
if line.startswith("job "):
_, job, _ = line.split(None, 2)
return int(job)
def get_response(self):
import binascii
# load a random BDOC from the ones available
otp_key = htscommon.get_verification_key(self._vote_id)
elids = self._rreg.read_string_value(otp_key, "elids")\
.value.rstrip().split("\t")
bdoc = self.__load_bdoc(random.choice(elids))
evlog.log("Sending BDOC %s with vote ID %s for verification" %\
(ksum.votehash(bdoc.get_bytes()), self._vote_id))
# check consistency
bdoc_set = set([doc.split(".")[0] for doc in bdoc.documents])
elids_set = set(elids)
if bdoc_set != elids_set:
evlog.log_error("Votes in BDOC for vote ID %s are inconsistent " \
"with registry: %s, %s" % (self._vote_id, bdoc_set, elids_set))
raise HTSVerifyException, evcommon.VERIFY_ERROR
# create question objects
questions = []
for elid in elids:
questions.append(question.Question(\
elid, "hts", Election().get_sub_reg(elid)))
# start assembling the response
ret = ""
# append questions
for quest in questions:
ret += quest.qname() + ":" + str(quest.get_type()) + "\t"
ret += "\n"
# append election IDs and votes
for votefile in bdoc.documents:
elid = votefile.split(".")[0]
ret += elid + "\t" + binascii.b2a_hex(bdoc.documents[votefile]) + "\n"
ret += "\n"
# append choices list
for quest in questions:
tv = quest.get_voter(self._voter_code)
if tv:
ret += quest.choices_to_voter(tv)
else:
evlog.log_error("Voter not found")
self.__decrease_count()
return ret
def __poll_auth(self):
service = MobileIDService()
rsp = service.poll_auth(self.ctx())
if rsp._Status == 'OUTSTANDING_TRANSACTION':
return protocol.msg_mobid_poll()
if rsp._Status == 'USER_AUTHENTICATED':
c1, c2 = self.ctx().verify_challenge(rsp._Signature)
if not c1:
evlog.log_error(c2)
return self.__return_mid_error('Autentimine ebaõnnestus')
return self.__get_candidate_list()
return self.__return_mid_error(rsp._Status)
def __poll_auth(self):
service = MobileIDService()
rsp = service.poll_auth(self.ctx())
if rsp._Status == 'OUTSTANDING_TRANSACTION':
return protocol.msg_mobid_poll()
if rsp._Status == 'USER_AUTHENTICATED':
c1, c2 = self.ctx().verify_challenge(rsp._Signature)
if not c1:
evlog.log_error(c2)
return self.__return_mid_error('Autentimine ebaõnnestus')
return self.__get_candidate_list()
return self.__return_mid_error(rsp._Status)
def _main(expected, cmd):
state = election.ElectionState().get()
if state == int(expected):
evlog.log(LOG_EXECUTING % cmd)
if cmd == COMMAND_START:
_execute_start()
elif cmd == COMMAND_PREPARE_STOP:
_execute_prepare_stop()
elif cmd == COMMAND_STOP:
_execute_stop()
else:
evlog.log_error(LOG_ERROR_UNKNOWN % cmd)
raise Exception
_signal_ui()
else:
evlog.log_error(LOG_ERROR_STATE % (cmd, state, expected))
_clean_reg(cmd)
def _sign_result(self, pin, input_file):
token_name = Election().get_hsm_token_name()
priv_key_label = Election().get_hsm_priv_key()
pkcs11lib = Election().get_pkcs11_path()
args = [input_file, _sig(input_file), \
token_name, priv_key_label, pin, pkcs11lib]
exit_code = 0
try:
exit_code = subprocess.call([self.sign_prog] + args)
except OSError, oserr:
errstr = "Tulemuste faili '%s' allkirjastamine nurjus: %s" % \
(input_file, oserr)
evlog.log_error(errstr)
return False
def init_auth(self, phone):
try:
evlog.log("Autentimispäring: ALGUS %s" % (phone))
if not ElectionState().election_on():
r1, r2 = ElectionState().election_off_msg()
return protocol.msg_error(r1, r2)
self.ctx().set_phone(phone)
self.ctx().generate_challenge()
service = MobileIDService()
rsp_cert = service.get_cert(self.ctx())
if not (rsp_cert._SignCertStatus == 'OK'):
return self.__return_mid_error(rsp_cert._SignCertStatus)
if rsp_cert._AuthCertStatus == 'OK':
res, err = cert_ok(rsp_cert._AuthCertData)
if not res:
evlog.log_error(err)
return self.__return_mid_policy_error()
else:
return self.__return_mid_error(rsp_cert._AuthCertStatus)
rsp = service.init_auth(self.ctx())
if rsp._Status == 'OK':
self.ctx().save_post_auth(rsp)
alog, elog = evlogdata.get_cert_data_log(
rsp._CertificateData, 'cand/auth', True)
evlog.log('Autentimispäring (%s, %s, %s, %s)' % \
(rsp._UserIDCode, rsp._UserGivenname, \
rsp._UserSurname, rsp._Challenge))
evlog.log(alog)
if elog:
evlog.log_error(elog)
return protocol.msg_mobid_auth_init_ok(\
self.ctx().sessid(), rsp._ChallengeID)
return self.__return_mid_error(rsp._Status)
except httplib.BadStatusLine, exc:
return self.__return_badstatusline_error(exc)
def _sign_result(self, pin, input_file):
token_name = Election().get_hsm_token_name()
priv_key_label = Election().get_hsm_priv_key()
pkcs11lib = Election().get_pkcs11_path()
args = [input_file, _sig(input_file), \
token_name, priv_key_label, pin, pkcs11lib]
exit_code = 0
try:
exit_code = subprocess.call([self.sign_prog] + args)
except OSError, oserr:
errstr = "Tulemuste faili '%s' allkirjastamine nurjus: %s" % \
(input_file, oserr)
evlog.log_error(errstr)
return False
def _decrypt_votes(self, pin):
input_file = self._reg.path(['hlr', 'input', 'votes'])
token_name = Election().get_hsm_token_name()
priv_key_label = Election().get_hsm_priv_key()
pkcs11lib = Election().get_pkcs11_path()
args = [input_file, self.output_file, \
token_name, priv_key_label, pin, pkcs11lib]
exit_code = 0
try:
exit_code = subprocess.call([self.decrypt_prog] + args)
except OSError, oserr:
errstr = "Häälte faili '%s' dekrüpteerimine nurjus: %s" % \
(input_file, oserr)
evlog.log_error(errstr)
return False
def _decrypt_votes(self, pin):
input_file = self._reg.path(['hlr', 'input', 'votes'])
token_name = Election().get_hsm_token_name()
priv_key_label = Election().get_hsm_priv_key()
pkcs11lib = Election().get_pkcs11_path()
args = [input_file, self.output_file, \
token_name, priv_key_label, pin, pkcs11lib]
exit_code = 0
try:
exit_code = subprocess.call([self.decrypt_prog] + args)
except OSError, oserr:
errstr = "Häälte faili '%s' dekrüpteerimine nurjus: %s" % \
(input_file, oserr)
evlog.log_error(errstr)
return False
def _revoke_vote_id(voter_code):
elec = Election()
otps = set()
for quest in elec.get_questions():
reg = elec.get_sub_reg(quest)
key = htscommon.get_user_key(voter_code)
if reg.check(key + [htscommon.VOTE_VERIFICATION_ID_FILENAME]):
otp = reg.read_string_value(key, \
htscommon.VOTE_VERIFICATION_ID_FILENAME)
otps.add(otp.value)
evlog.log("Revoking vote ID %s" % otp)
if not _delete_vote_id(otp.value):
evlog.log_error("No such vote-ID: %s" % otp)
otp.delete()
if len(otps) > 1:
evlog.log_error("The voter %s had multiple vote ID-s: %s" % \
(voter_code, ", ".join(otps)))
def __load_bdoc(self, elid):
voter_key = htscommon.get_user_key(self._voter_code)
sreg = Election().get_sub_reg(elid)
for votefile in sreg.list_keys(voter_key):
if htscommon.VALID_VOTE_PATTERN.match(votefile):
bdoc = bdocpythonutils.BDocContainer()
bdoc.load(sreg.path(voter_key + [votefile]))
bdoc.validate(bdocpythonutils.ManifestProfile("TM"))
self._voter = htscommon.get_votefile_voter(votefile)
break
if not bdoc:
evlog.log_error("No valid BDOC found for voter %s using vote ID %s" % \
(self._voter, self._vote_id))
raise HTSVerifyException, evcommon.VERIFY_ERROR
return bdoc
def init_auth(self, phone):
try:
evlog.log("Autentimispäring: ALGUS %s" % (phone))
if not ElectionState().election_on():
r1, r2 = ElectionState().election_off_msg()
evlog.log_error('Viga operatsioonil "cand", teade "%s"' % r2)
return protocol.msg_error(r1, r2)
self.ctx().set_phone(phone)
self.ctx().generate_challenge()
service = MobileIDService()
rsp = service.init_auth(self.ctx())
if rsp._Status == 'OK':
rsp._CertificateData = rsp._CertificateData.strip()
self.ctx().save_post_auth(rsp)
alog, elog = evlogdata.get_cert_data_log(
rsp._CertificateData, 'cand/auth', True)
evlog.log('Autentimispäring (%s, %s, %s, %s)' %
(rsp._UserIDCode, rsp._UserGivenname,
rsp._UserSurname, rsp._Challenge))
evlog.log(alog)
if elog:
evlog.log_error(elog)
return protocol.msg_mobid_auth_init_ok(self.ctx().sessid(),
rsp._ChallengeID)
return self.__return_mid_error(rsp._Status)
except httplib.BadStatusLine as exc:
return self.__return_badstatusline_error(exc)
except ZSI.FaultException as exc:
return self.__return_zsi_error(exc)
except:
return self.__return_exception()
finally:
evlog.log('Autentimispäring: LÕPP')
def __return_zsi_error(self, exc):
fault = "%s" % exc
evlog.log_error("Exception: %s" % fault)
# 301 comes from MobileAuthenticate
# 201 comes from GetMobileCertificate
# both mean that the user is not MID client
if fault.startswith("301") or fault.startswith("201"):
return self.__return_error(evcommon.EVOTE_MID_ERROR, get_mid_text("MID_ERROR_301"))
elif fault.startswith("302"):
return self.__return_error(evcommon.EVOTE_MID_ERROR, get_mid_text("MID_ERROR_302"))
elif fault.startswith("303"):
return self.__return_error(evcommon.EVOTE_MID_ERROR, get_mid_text("MID_ERROR_303"))
return self.__return_error(evcommon.EVOTE_MID_ERROR, get_mid_text("MID_UNKNOWN_ERROR"))
def __load_bdoc(self, elid):
voter_key = htscommon.get_user_key(self._voter_code)
sreg = Election().get_sub_reg(elid)
vote_files = []
for vfile in sreg.list_keys(voter_key):
if htscommon.VALID_VOTE_PATTERN.match(vfile):
vote_files.append(vfile)
vote_files.sort()
latest = vote_files.pop()
if latest:
bdoc = htsbase.get_vote(sreg.path(voter_key + [latest]))
if not bdoc:
evlog.log_error("No valid BDOC found for voter %s using vote ID %s" % \
(self._voter_code, self._vote_id))
raise HTSVerifyException, evcommon.VERIFY_ERROR
return bdoc
def __load_bdoc(self, elid):
voter_key = htscommon.get_user_key(self._voter_code)
sreg = Election().get_sub_reg(elid)
vote_files = []
for vfile in sreg.list_keys(voter_key):
if htscommon.VALID_VOTE_PATTERN.match(vfile):
vote_files.append(vfile)
vote_files.sort()
latest = vote_files.pop()
if latest:
bdoc = htsbase.get_vote(sreg.path(voter_key + [latest]))
if not bdoc:
evlog.log_error("No valid BDOC found for voter %s using vote ID %s" % \
(self._voter_code, self._vote_id))
raise HTSVerifyException, evcommon.VERIFY_ERROR
return bdoc
def init_auth(self, phone):
try:
evlog.log("Autentimispäring: ALGUS %s" % (phone))
if not ElectionState().election_on():
r1, r2 = ElectionState().election_off_msg()
evlog.log_error('Viga operatsioonil "cand", teade "%s"' % r2)
return protocol.msg_error(r1, r2)
self.ctx().set_phone(phone)
self.ctx().generate_challenge()
service = MobileIDService()
rsp = service.init_auth(self.ctx())
if rsp._Status == "OK":
rsp._CertificateData = rsp._CertificateData.strip()
self.ctx().save_post_auth(rsp)
alog, elog = evlogdata.get_cert_data_log(rsp._CertificateData, "cand/auth", True)
evlog.log(
"Autentimispäring (%s, %s, %s, %s)"
% (rsp._UserIDCode, rsp._UserGivenname, rsp._UserSurname, rsp._Challenge)
)
evlog.log(alog)
if elog:
evlog.log_error(elog)
return protocol.msg_mobid_auth_init_ok(self.ctx().sessid(), rsp._ChallengeID)
return self.__return_mid_error(rsp._Status)
except httplib.BadStatusLine as exc:
return self.__return_badstatusline_error(exc)
except ZSI.FaultException as exc:
return self.__return_zsi_error(exc)
except:
return self.__return_exception()
finally:
evlog.log("Autentimispäring: LÕPP")
def load_restore(self, input_list, operator):
good_list = []
bad_list = []
for el in input_list:
code = el[0]
if not self.haaletanud(code):
bad_list.append(el)
evlog.log_error('Isik koodiga %s ei ole hääletanud' % code)
continue
revoked, reason, _ = self.is_user_revoked(code)
if (not revoked):
bad_list.append(el)
evlog.log_error('Isik koodiga %s ei ole oma häält tühistanud' %
code)
continue
else:
self.restore_vote(el, operator)
good_list.append(el)
return good_list, bad_list
def load_revoke(self, input_list, operator):
good_list = []
bad_list = []
for el in input_list:
code = el[0]
if not self.haaletanud(code):
bad_list.append(el)
evlog.log_error('Isik koodiga %s ei ole hääletanud' % code)
continue
revoked, reason, _ = self.is_user_revoked(code)
if revoked:
bad_list.append(el)
evlog.log_error(
'Kasutaja isikukoodiga %s hääl on juba tühistatud' % code)
else:
# vajalik lugemisele minevate häälte nimistu koostamiseks
self.revoke_vote(el, operator)
good_list.append(el)
return good_list, bad_list
def load_revoke(self, input_list, operator):
good_list = []
bad_list = []
for el in input_list:
code = el[0]
if not self.haaletanud(code):
bad_list.append(el)
evlog.log_error('Isik koodiga %s ei ole hääletanud' % code)
continue
revoked, reason, _ = self.is_user_revoked(code)
if revoked:
bad_list.append(el)
evlog.log_error(
'Kasutaja isikukoodiga %s hääl on juba tühistatud' % code)
else:
# vajalik lugemisele minevate häälte nimistu koostamiseks
self.revoke_vote(el, operator)
good_list.append(el)
return good_list, bad_list
def load_restore(self, input_list, operator):
good_list = []
bad_list = []
for el in input_list:
code = el[0]
if not self.haaletanud(code):
bad_list.append(el)
evlog.log_error('Isik koodiga %s ei ole hääletanud' % code)
continue
revoked, reason, _ = self.is_user_revoked(code)
if (not revoked):
bad_list.append(el)
evlog.log_error(
'Isik koodiga %s ei ole oma häält tühistanud' % code)
continue
else:
self.restore_vote(el, operator)
good_list.append(el)
return good_list, bad_list
def schedule(cmd, tstruct):
sched = scheduled(cmd)
if sched:
job, timestr = sched
evlog.log_error(LOG_ERROR_SCHEDULED % (cmd, job, timestr))
print UI_ERROR_SCHEDULED % (cmd, job, timestr)
return
timestr = time.strftime(TIME_FORMAT, tstruct)
job = _at(timestr, "python -m %s %i %s" % (MODULE_AUTOCMD, EXPECTED[cmd], cmd))
if not job:
evlog.log_error(LOG_ERROR_SCHEDULE % cmd)
print UI_ERROR_SCHEDULE % cmd
return
reg = evreg.Registry(root=evcommon.EVREG_CONFIG)
reg.ensure_key(AUTOCMD_KEY)
reg.create_integer_value(AUTOCMD_KEY, _job_value(cmd), job)
reg.create_string_value(AUTOCMD_KEY, _time_value(cmd), timestr)
evlog.log(LOG_SCHEDULED % (cmd, job, timestr))
print UI_SCHEDULED % (cmd, job, timestr)
def verify_id(self, vote_id):
# check if valid vote ID
if not formatutil.is_vote_verification_id(vote_id):
# We don't know how large vote_id is, so don't write to disk
evlog.log_error("Malformed vote ID")
raise HTSVerifyException, evcommon.VERIFY_ERROR
vote_id = vote_id.lower()
otp_key = htscommon.get_verification_key(vote_id)
# check if corresponding OTP exists
if not self._rreg.check(otp_key):
evlog.log_error("No such vote ID: %s" % vote_id)
raise HTSVerifyException, evcommon.VERIFY_ERROR
self._voter_code = self._rreg.read_string_value(\
otp_key, "voter").value.rstrip()
# check if timestamp is OK
current = int(time.time())
created = self._rreg.read_integer_value(otp_key, "timestamp").value
timeout = Election().get_verification_time() * 60
if created + timeout < current:
evlog.log("Vote ID %s has expired" % vote_id)
self.__revoke_vote_id()
raise HTSVerifyException, evcommon.VERIFY_ERROR
# check if count is OK
count = self._rreg.read_integer_value(otp_key, "count").value
if count <= 0:
evlog.log_error("Vote ID %s count is zero, but had not been revoked")
self.__revoke_vote_id()
raise HTSVerifyException, evcommon.VERIFY_ERROR
self._vote_id = vote_id
def get_log_lines(self, root, path):
log_lines = []
for vote_file in path:
if htscommon.VALID_VOTE_PATTERN.match(vote_file):
inzip = None
lline = None
try:
lname = root + '/' + vote_file
inzip = zipfile.ZipFile(lname, 'r')
lline = inzip.read(htscommon.ZIP_LOGFILE)
except:
lline = None
evlog.log_error("Viga hääle käitlemisel: " + lname)
evlog.log_exception()
if inzip:
inzip.close()
if lline:
log_lines.append((lline, vote_file))
return log_lines
def talleta_haal(self, **args):
# Hääle tühistamisel on põhjuseks
# tühistamise põhjustanud hääle räsi
haale_rasi = ksum.votehash(args['vote'])
self.__tyhista_korduv_haal(args['signercode'], haale_rasi)
user_key = htscommon.get_user_key(args['signercode'])
self._reg.ensure_key(user_key)
voter = args['valija']
vote_file = htscommon.valid_votefile_name(args['timestamp'], voter)
user_key.append(vote_file)
filename = self._reg.path(user_key)
try:
_f = file(filename, 'w')
fcntl.lockf(_f, fcntl.LOCK_EX)
_f.write(args['signedvote'])
_f.flush()
_f.close()
except Exception, (errno, errstr):
evlog.log_error("Faili '%s' kirjutamine nurjus" % filename)
raise Exception(errno, errstr)
def talleta_haal(self, **args):
# Hääle tühistamisel on põhjuseks
# tühistamise põhjustanud hääle räsi
haale_rasi = ksum.votehash(args['vote'])
self.__tyhista_korduv_haal(args['signercode'], haale_rasi)
user_key = htscommon.get_user_key(args['signercode'])
self._reg.ensure_key(user_key)
voter = args['valija']
vote_file = htscommon.valid_votefile_name(args['timestamp'], voter)
user_key.append(vote_file)
filename = self._reg.path(user_key)
try:
_f = file(filename, 'w')
fcntl.lockf(_f, fcntl.LOCK_EX)
_f.write(args['signedvote'])
_f.flush()
_f.close()
except Exception, (errno, errstr):
evlog.log_error("Faili '%s' kirjutamine nurjus" % filename)
raise Exception(errno, errstr)
def __talleta(self, binvote):
store = HTSStore()
new_otp = False
try:
store.verify_vote(binvote)
evlog.log('Hääle allkirjastaja: %s' % store.signercode)
store.extract_questions()
store.create_actions()
store.revoke_vote_id()
vote_id = store.issue_vote_id()
evlog.log("Issued vote ID %s to %s for BDOC %s" % \
(vote_id, store.signercode, ksum.votehash(store.signed_vote)))
new_otp = True
store.store_votes()
except HTSStoreException as e:
evlog.log_error(store.log_msg)
if new_otp:
store.revoke_vote_id()
return e.ret, store.user_msg
return evcommon.EVOTE_OK, vote_id
def get_log_lines(self, root, path):
log_lines = []
for vote_file in path:
if htscommon.VALID_VOTE_PATTERN.match(vote_file):
inzip = None
lline = None
try:
lname = root + '/' + vote_file
inzip = zipfile.ZipFile(lname, 'r')
lline = inzip.read(htscommon.ZIP_LOGFILE)
except:
lline = None
evlog.log_error("Viga hääle käitlemisel: " + lname)
evlog.log_exception()
if inzip:
inzip.close()
if lline:
log_lines.append((lline, vote_file))
return log_lines
def init_auth(self, phone):
try:
evlog.log("Autentimispäring: ALGUS %s" % (phone))
if not ElectionState().election_on():
r1, r2 = ElectionState().election_off_msg()
return protocol.msg_error(r1, r2)
self.ctx().set_phone(phone)
self.ctx().generate_challenge()
service = MobileIDService()
rsp_cert = service.get_cert(self.ctx())
if not (rsp_cert._SignCertStatus == 'OK'):
return self.__return_mid_error(rsp_cert._SignCertStatus)
if rsp_cert._AuthCertStatus == 'OK':
res, err = cert_ok(rsp_cert._AuthCertData)
if not res:
evlog.log_error(err)
return self.__return_mid_policy_error()
else:
return self.__return_mid_error(rsp_cert._AuthCertStatus)
rsp = service.init_auth(self.ctx())
if rsp._Status == 'OK':
self.ctx().save_post_auth(rsp)
evlog.log('Autentimispäring (%s, %s, %s, %s)' % \
(rsp._UserIDCode, rsp._UserGivenname, \
rsp._UserSurname, rsp._Challenge))
return protocol.msg_mobid_auth_init_ok(\
self.ctx().sessid(), rsp._ChallengeID)
return self.__return_mid_error(rsp._Status)
except httplib.BadStatusLine, exc:
return self.__return_badstatusline_error(exc)
def __return_zsi_error(self, exc):
fault = "%s" % exc
evlog.log_error("Exception: %s" % fault)
# 301 comes from MobileAuthenticate
# 201 comes from GetMobileCertificate
# both mean that the user is not MID client
if fault.startswith('301') or fault.startswith('201'):
return self.__return_error(evcommon.EVOTE_MID_ERROR,
get_mid_text('MID_ERROR_301'))
elif fault.startswith('302'):
return self.__return_error(evcommon.EVOTE_MID_ERROR,
get_mid_text('MID_ERROR_302'))
elif fault.startswith('303'):
return self.__return_error(evcommon.EVOTE_MID_ERROR,
get_mid_text('MID_ERROR_303'))
return self.__return_error(evcommon.EVOTE_MID_ERROR,
get_mid_text('MID_UNKNOWN_ERROR'))
def do_cgi():
try:
elec = election.Election()
evlog.AppLog().set_app(APP)
# Create a list of pairs from the form parameters. Don't use a dictionary
# because that will overwrite recurring keys.
form = cgi.FieldStorage()
params = []
for key in form:
for value in form.getlist(key):
params.append((key, value))
# Only accept up to a single parameter
if len(params) > 1:
def keys(pairs):
"""Return a comma-separated list of the keys."""
return ", ".join([pair[0] for pair in pairs])
evlog.log_error("Too many query parameters: " + keys(params))
bad_parameters()
return
# Only accept the POST_VERIFY_VOTE parameter.
if len(params) and params[0][0] != evcommon.POST_VERIFY_VOTE:
evlog.log_error('Unknown query parameter "%s"' % params[0][0])
bad_parameters()
return
# Make sure the parameter is correctly formatted.
if not formatutil.is_vote_verification_id(params[0][1]):
# Don't write to disk; we don't know how large the value is
evlog.log_error("Malformed vote ID")
bad_parameters()
return
evlog.log("verif/auth REMOTE_ADDR: " + evlogdata.get_remote_ip())
evlog.log("verif/auth VOTE-ID: " + params[0][1])
params.append((evcommon.POST_SESS_ID, sessionid.voting()))
url = "http://" + elec.get_hts_ip() + "/" + elec.get_hts_verify_path()
conn = urllib.urlopen(url, urllib.urlencode(params))
protocol.http_response(conn.read())
except:
evlog.log_exception()
technical_error()
def do_cgi():
try:
elec = election.Election()
evlog.AppLog().set_app(APP)
# Create a list of pairs from the form parameters. Don't use a dictionary
# because that will overwrite recurring keys.
form = cgi.FieldStorage()
params = []
for key in form:
for value in form.getlist(key):
params.append((key, value))
# Only accept up to a single parameter
if len(params) > 1:
def keys(pairs):
"""Return a comma-separated list of the keys."""
return ", ".join([pair[0] for pair in pairs])
evlog.log_error("Too many query parameters: " + keys(params))
bad_parameters()
return
# Only accept the POST_VERIFY_VOTE parameter.
if len(params) and params[0][0] != evcommon.POST_VERIFY_VOTE:
evlog.log_error("Unknown query parameter \"%s\"" % params[0][0])
bad_parameters()
return
# Make sure the parameter is correctly formatted.
if not formatutil.is_vote_verification_id(params[0][1]):
# Don't write to disk; we don't know how large the value is
evlog.log_error("Malformed vote ID")
bad_parameters()
return
evlog.log("verif/auth REMOTE_ADDR: " + evlogdata.get_remote_ip())
evlog.log("verif/auth VOTE-ID: " + params[0][1])
params.append((evcommon.POST_SESS_ID, sessionid.voting()))
url = "http://" + elec.get_hts_ip() + "/" + elec.get_hts_verify_path()
conn = urllib.urlopen(url, urllib.urlencode(params))
protocol.http_response(conn.read())
except:
evlog.log_exception()
technical_error()
def _decrypt_votes(self, pin):
input_file = self._reg.path(['hlr', 'input', 'votes'])
token_name = Election().get_hsm_token_name()
priv_key_label = Election().get_hsm_priv_key()
pkcs11lib = Election().get_pkcs11_path()
args = [input_file,
self.output_file,
token_name,
priv_key_label,
pin,
pkcs11lib]
exit_code = 0
try:
exit_code = subprocess.call([self.decrypt_prog] + args)
except OSError as oserr:
errstr = "Häälte faili '%s' dekrüpteerimine nurjus: %s" % \
(input_file, oserr)
evlog.log_error(errstr)
return False
if exit_code == 0:
return True
if exit_code > 0:
errstr2 = "Tundmatu viga"
if exit_code in G_DECRYPT_ERRORS:
errstr2 = G_DECRYPT_ERRORS[exit_code]
errstr = \
"Häälte faili '%s' dekrüpteerimine nurjus: %s (kood %d)" % \
(input_file, errstr2, exit_code)
evlog.log_error(errstr)
return False
errstr = "Häälte faili '%s' dekrüpteerimine nurjus (signaal %d)" % \
(input_file, exit_code)
evlog.log_error(errstr)
return False
def _decrypt_votes(self, pin):
input_file = self._reg.path(['hlr', 'input', 'votes'])
token_name = Election().get_hsm_token_name()
priv_key_label = Election().get_hsm_priv_key()
pkcs11lib = Election().get_pkcs11_path()
args = [
input_file, self.output_file, token_name, priv_key_label, pin,
pkcs11lib
]
exit_code = 0
try:
exit_code = subprocess.call([self.decrypt_prog] + args)
except OSError as oserr:
errstr = "Häälte faili '%s' dekrüpteerimine nurjus: %s" % \
(input_file, oserr)
evlog.log_error(errstr)
return False
if exit_code == 0:
return True
if exit_code > 0:
errstr2 = "Tundmatu viga"
if exit_code in G_DECRYPT_ERRORS:
errstr2 = G_DECRYPT_ERRORS[exit_code]
errstr = \
"Häälte faili '%s' dekrüpteerimine nurjus: %s (kood %d)" % \
(input_file, errstr2, exit_code)
evlog.log_error(errstr)
return False
errstr = "Häälte faili '%s' dekrüpteerimine nurjus (signaal %d)" % \
(input_file, exit_code)
evlog.log_error(errstr)
return False
def _sign_result(self, pin, input_file):
token_name = Election().get_hsm_token_name()
priv_key_label = Election().get_hsm_priv_key()
pkcs11lib = Election().get_pkcs11_path()
args = [
input_file,
_sig(input_file), token_name, priv_key_label, pin, pkcs11lib
]
exit_code = 0
try:
exit_code = subprocess.call([self.sign_prog] + args)
except OSError as oserr:
errstr = "Tulemuste faili '%s' allkirjastamine nurjus: %s" % \
(input_file, oserr)
evlog.log_error(errstr)
return False
if exit_code == 0:
return True
if exit_code > 0:
errstr2 = "Tundmatu viga"
if exit_code in G_SIGN_ERRORS:
errstr2 = G_SIGN_ERRORS[exit_code]
errstr = \
"Tulemuste faili '%s' allkirjastamine nurjus: %s (kood %d)" % \
(input_file, errstr2, exit_code)
evlog.log_error(errstr)
return False
errstr = "Tulemuste faili '%s' allkirjastamine nurjus (signaal %d)" % \
(input_file, exit_code)
evlog.log_error(errstr)
return False
def check_vote(self, mobid):
try:
bdocpython.initialize()
conf = bdocconfig.BDocConfig()
conf.load(Election().get_bdoc_conf())
alines = []
elines = []
if mobid:
alines, elines = \
regrights.analyze_signature_for_log(self._decoded_vote)
else:
alines, elines = \
regrights.analyze_vote_for_log(self._decoded_vote)
for el in alines:
evlog.log(el)
for el in elines:
evlog.log_error(el)
res = None
if mobid:
res = regrights.check_vote_hes_mobid(self._decoded_vote, conf)
else:
res = regrights.check_vote_hes(self._decoded_vote, conf)
if not res.result:
self.error.log_msg = res.error
if self.error.user_msg == '':
self.error.user_msg = evmessage.EV_ERRORS.TEHNILINE_VIGA
self.error.user_code = evcommon.EVOTE_ERROR
if not res.cert_is_valid:
self.error.user_msg =\
evmessage.EV_ERRORS.SERTIFIKAAT_ON_AEGUNUD
self.error.user_code = evcommon.EVOTE_CERT_ERROR
return False
ik_ver = regrights.get_personal_code(res.subject)
if self._ik != ik_ver:
self.error.log_msg = \
'Autentija (%s) ja allkirjastaja (%s) erinevad' % \
(self._ik, ik_ver)
self.error.user_msg = \
evmessage.EV_ERRORS.TEHNILINE_VIGA
self.error.user_code = evcommon.EVOTE_ERROR
return False
return True
except:
self.error.user_msg = evmessage.EV_ERRORS.TEHNILINE_VIGA
self.error.user_code = evcommon.EVOTE_ERROR
self.error.log_msg = exception_msg.trace()
finally:
bdocpython.terminate()
return False
